Merge branch 'devel' of https://github.com/ansible/ansible-tower into wf_rbac_prompt

awx/main/tests/functional/api/test_job_template.py

@@ -3,12 +3,11 @@ import mock
 
 # AWX
 from awx.api.serializers import JobTemplateSerializer, JobLaunchSerializer
-from awx.main.models.jobs import JobTemplate, Job
+from awx.main.models.jobs import Job
 from awx.main.models.projects import ProjectOptions
 from awx.main.migrations import _save_password_keys as save_password_keys
 
 # Django
-from django.test.client import RequestFactory
 from django.core.urlresolvers import reverse
 from django.apps import apps
 
@@ -141,131 +140,7 @@ def test_job_template_role_user(post, organization_factory, job_template_factory
     response = post(url, dict(id=jt_objects.job_template.execute_role.pk), objects.superusers.admin)
     assert response.status_code == 204
 
-# Test protection against limited set of validation problems
 
-@pytest.mark.django_db
-def test_bad_data_copy_edit(admin_user, project):
-    """
-    If a required resource (inventory here) was deleted, copying not allowed
-    because doing so would caues a validation error
-    """
-
-    jt_res = JobTemplate.objects.create(
-        job_type='run',
-        project=project,
-        inventory=None,  ask_inventory_on_launch=False, # not allowed
-        credential=None, ask_credential_on_launch=True,
-        name='deploy-job-template'
-    )
-    serializer = JobTemplateSerializer(jt_res)
-    request = RequestFactory().get('/api/v1/job_templates/12/')
-    request.user = admin_user
-    serializer.context['request'] = request
-    response = serializer.to_representation(jt_res)
-    assert not response['summary_fields']['can_copy']
-    assert response['summary_fields']['can_edit']
-
-# Tests for correspondence between view info and actual access
-
-@pytest.mark.django_db
-def test_admin_copy_edit(jt_copy_edit, admin_user):
-    "Absent a validation error, system admins can do everything"
-
-    # Serializer can_copy/can_edit fields
-    serializer = JobTemplateSerializer(jt_copy_edit)
-    request = RequestFactory().get('/api/v1/job_templates/12/')
-    request.user = admin_user
-    serializer.context['request'] = request
-    response = serializer.to_representation(jt_copy_edit)
-    assert response['summary_fields']['can_copy']
-    assert response['summary_fields']['can_edit']
-
-@pytest.mark.django_db
-def test_org_admin_copy_edit(jt_copy_edit, org_admin):
-    "Organization admins SHOULD be able to copy a JT firmly in their org"
-
-    # Serializer can_copy/can_edit fields
-    serializer = JobTemplateSerializer(jt_copy_edit)
-    request = RequestFactory().get('/api/v1/job_templates/12/')
-    request.user = org_admin
-    serializer.context['request'] = request
-    response = serializer.to_representation(jt_copy_edit)
-    assert response['summary_fields']['can_copy']
-    assert response['summary_fields']['can_edit']
-
-@pytest.mark.django_db
-def test_org_admin_foreign_cred_no_copy_edit(jt_copy_edit, org_admin, machine_credential):
-    """
-    Organization admins without access to the 3 related resources:
-    SHOULD NOT be able to copy JT
-    SHOULD be able to edit that job template, for nonsensitive changes
-    """
-
-    # Attach credential to JT that org admin can not use
-    jt_copy_edit.credential = machine_credential
-    jt_copy_edit.save()
-
-    # Serializer can_copy/can_edit fields
-    serializer = JobTemplateSerializer(jt_copy_edit)
-    request = RequestFactory().get('/api/v1/job_templates/12/')
-    request.user = org_admin
-    serializer.context['request'] = request
-    response = serializer.to_representation(jt_copy_edit)
-    assert not response['summary_fields']['can_copy']
-    assert response['summary_fields']['can_edit']
-
-@pytest.mark.django_db
-def test_jt_admin_copy_edit(jt_copy_edit, rando):
-    """
-    JT admins wihout access to associated resources SHOULD NOT be able to copy
-    SHOULD be able to make nonsensitive changes"""
-
-    # random user given JT admin access only
-    jt_copy_edit.admin_role.members.add(rando)
-    jt_copy_edit.save()
-
-    # Serializer can_copy/can_edit fields
-    serializer = JobTemplateSerializer(jt_copy_edit)
-    request = RequestFactory().get('/api/v1/job_templates/12/')
-    request.user = rando
-    serializer.context['request'] = request
-    response = serializer.to_representation(jt_copy_edit)
-    assert not response['summary_fields']['can_copy']
-    assert response['summary_fields']['can_edit']
-
-@pytest.mark.django_db
-def test_proj_jt_admin_copy_edit(jt_copy_edit, rando):
-    "JT admins with access to associated resources SHOULD be able to copy"
-
-    # random user given JT and project admin abilities
-    jt_copy_edit.admin_role.members.add(rando)
-    jt_copy_edit.save()
-    jt_copy_edit.project.admin_role.members.add(rando)
-    jt_copy_edit.project.save()
-
-    # Serializer can_copy/can_edit fields
-    serializer = JobTemplateSerializer(jt_copy_edit)
-    request = RequestFactory().get('/api/v1/job_templates/12/')
-    request.user = rando
-    serializer.context['request'] = request
-    response = serializer.to_representation(jt_copy_edit)
-    assert response['summary_fields']['can_copy']
-    assert response['summary_fields']['can_edit']
-
-# Functional tests - create new JT with all returned fields, as the UI does
-
-@pytest.mark.django_db
-@mock.patch.object(ProjectOptions, "playbooks", project_playbooks)
-def test_org_admin_copy_edit_functional(jt_copy_edit, org_admin, get, post):
-    get_response = get(reverse('api:job_template_detail', args=[jt_copy_edit.pk]), user=org_admin)
-    assert get_response.status_code == 200
-    assert get_response.data['summary_fields']['can_copy']
-
-    post_data = get_response.data
-    post_data['name'] = '%s @ 12:19:47 pm' % post_data['name']
-    post_response = post(reverse('api:job_template_list', args=[]), user=org_admin, data=post_data)
-    assert post_response.status_code == 201
-    assert post_response.data['name'] == 'copy-edit-job-template @ 12:19:47 pm'
 
 @pytest.mark.django_db
 @mock.patch.object(ProjectOptions, "playbooks", project_playbooks)
@@ -277,7 +152,6 @@ def test_jt_admin_copy_edit_functional(jt_copy_edit, rando, get, post):
 
     get_response = get(reverse('api:job_template_detail', args=[jt_copy_edit.pk]), user=rando)
     assert get_response.status_code == 200
-    assert not get_response.data['summary_fields']['can_copy']
 
     post_data = get_response.data
     post_data['name'] = '%s @ 12:19:47 pm' % post_data['name']

awx/main/tests/functional/api/test_rbac_displays.py

@@ -0,0 +1,323 @@
+import pytest
+
+from django.core.urlresolvers import reverse
+from django.test.client import RequestFactory
+
+from awx.main.models.jobs import JobTemplate
+from awx.main.models import Role, Group
+from awx.main.access import (
+    access_registry,
+    get_user_capabilities
+)
+from awx.main.utils import cache_list_capabilities
+from awx.api.serializers import JobTemplateSerializer
+
+# This file covers special-cases of displays of user_capabilities
+# general functionality should be covered fully by unit tests, see:
+#   awx/main/tests/unit/api/test_serializers.py :: 
+#           TestJobTemplateSerializerGetSummaryFields.test_copy_edit_standard
+#   awx/main/tests/unit/test_access.py ::
+#           test_user_capabilities_method
+
+
+@pytest.mark.django_db
+class TestOptionsRBAC:
+    """
+    Several endpoints are relied-upon by the UI to list POST as an
+    allowed action or not depending on whether the user has permission
+    to create a resource.
+    """
+
+    def test_inventory_group_host_can_add(self, inventory, alice, options):
+        inventory.admin_role.members.add(alice)
+
+        response = options(reverse('api:inventory_hosts_list', args=[inventory.pk]), alice)
+        assert 'POST' in response.data['actions']
+        response = options(reverse('api:inventory_groups_list', args=[inventory.pk]), alice)
+        assert 'POST' in response.data['actions']
+
+    def test_inventory_group_host_can_not_add(self, inventory, bob, options):
+        inventory.read_role.members.add(bob)
+
+        response = options(reverse('api:inventory_hosts_list', args=[inventory.pk]), bob)
+        assert 'POST' not in response.data['actions']
+        response = options(reverse('api:inventory_groups_list', args=[inventory.pk]), bob)
+        assert 'POST' not in response.data['actions']
+
+    def test_user_list_can_add(self, org_member, org_admin, options):
+        response = options(reverse('api:user_list'), org_admin)
+        assert 'POST' in response.data['actions']
+
+    def test_user_list_can_not_add(self, org_member, org_admin, options):
+        response = options(reverse('api:user_list'), org_member)
+        assert 'POST' not in response.data['actions']
+
+
+@pytest.mark.django_db
+class TestJobTemplateCopyEdit:
+    """
+    Tests contain scenarios that were raised as issues in the past,
+    which resulted from failed copy/edit actions even though the buttons
+    to do these actions were displayed.
+    """
+
+    @pytest.fixture
+    def jt_copy_edit(self, job_template_factory, project):
+        objects = job_template_factory(
+            'copy-edit-job-template',
+            project=project)
+        return objects.job_template
+
+    def fake_context(self, user):
+        request = RequestFactory().get('/api/v1/resource/42/')
+        request.user = user
+
+        class FakeView(object):
+            pass
+
+        fake_view = FakeView()
+        fake_view.request = request
+        context = {}
+        context['view'] = fake_view
+        context['request'] = request
+        return context
+
+    def test_validation_bad_data_copy_edit(self, admin_user, project):
+        """
+        If a required resource (inventory here) was deleted, copying not allowed
+        because doing so would caues a validation error
+        """
+
+        jt_res = JobTemplate.objects.create(
+            job_type='run',
+            project=project,
+            inventory=None,  ask_inventory_on_launch=False, # not allowed
+            credential=None, ask_credential_on_launch=True,
+            name='deploy-job-template'
+        )
+        serializer = JobTemplateSerializer(jt_res)
+        serializer.context = self.fake_context(admin_user)
+        response = serializer.to_representation(jt_res)
+        assert not response['summary_fields']['user_capabilities']['copy']
+        assert response['summary_fields']['user_capabilities']['edit']
+
+    def test_sys_admin_copy_edit(self, jt_copy_edit, admin_user):
+        "Absent a validation error, system admins can do everything"
+        serializer = JobTemplateSerializer(jt_copy_edit)
+        serializer.context = self.fake_context(admin_user)
+        response = serializer.to_representation(jt_copy_edit)
+        assert response['summary_fields']['user_capabilities']['copy']
+        assert response['summary_fields']['user_capabilities']['edit']
+
+    def test_org_admin_copy_edit(self, jt_copy_edit, org_admin):
+        "Organization admins SHOULD be able to copy a JT firmly in their org"
+        serializer = JobTemplateSerializer(jt_copy_edit)
+        serializer.context = self.fake_context(org_admin)
+        response = serializer.to_representation(jt_copy_edit)
+        assert response['summary_fields']['user_capabilities']['copy']
+        assert response['summary_fields']['user_capabilities']['edit']
+
+    def test_org_admin_foreign_cred_no_copy_edit(self, jt_copy_edit, org_admin, machine_credential):
+        """
+        Organization admins without access to the 3 related resources:
+        SHOULD NOT be able to copy JT
+        SHOULD be able to edit that job template, for nonsensitive changes
+        """
+
+        # Attach credential to JT that org admin can not use
+        jt_copy_edit.credential = machine_credential
+        jt_copy_edit.save()
+
+        serializer = JobTemplateSerializer(jt_copy_edit)
+        serializer.context = self.fake_context(org_admin)
+        response = serializer.to_representation(jt_copy_edit)
+        assert not response['summary_fields']['user_capabilities']['copy']
+        assert response['summary_fields']['user_capabilities']['edit']
+
+    def test_jt_admin_copy_edit(self, jt_copy_edit, rando):
+        """
+        JT admins wihout access to associated resources SHOULD NOT be able to copy
+        SHOULD be able to make nonsensitive changes"""
+
+        # random user given JT admin access only
+        jt_copy_edit.admin_role.members.add(rando)
+        jt_copy_edit.save()
+
+        serializer = JobTemplateSerializer(jt_copy_edit)
+        serializer.context = self.fake_context(rando)
+        response = serializer.to_representation(jt_copy_edit)
+        assert not response['summary_fields']['user_capabilities']['copy']
+        assert response['summary_fields']['user_capabilities']['edit']
+
+    def test_proj_jt_admin_copy_edit(self, jt_copy_edit, rando):
+        "JT admins with access to associated resources SHOULD be able to copy"
+
+        # random user given JT and project admin abilities
+        jt_copy_edit.admin_role.members.add(rando)
+        jt_copy_edit.save()
+        jt_copy_edit.project.admin_role.members.add(rando)
+        jt_copy_edit.project.save()
+
+        serializer = JobTemplateSerializer(jt_copy_edit)
+        serializer.context = self.fake_context(rando)
+        response = serializer.to_representation(jt_copy_edit)
+        assert response['summary_fields']['user_capabilities']['copy']
+        assert response['summary_fields']['user_capabilities']['edit']
+
+
+@pytest.fixture
+def mock_access_method(mocker):
+    mock_method = mocker.MagicMock()
+    mock_method.return_value = 'foobar'
+    mock_method.__name__ = 'bars' # Required for a logging statement
+    return mock_method
+
+@pytest.mark.django_db
+class TestAccessListCapabilities:
+    """
+    Test that the access_list serializer shows the exact output of the RoleAccess.can_attach
+     - looks at /api/v1/inventories/N/access_list/
+     - test for types: direct, indirect, and team access
+    """
+
+    extra_kwargs = dict(skip_sub_obj_read_check=False, data={})
+
+    def _assert_one_in_list(self, data, sublist='direct_access'):
+        "Establish that exactly 1 type of access exists so we know the entry is the right one"
+        assert len(data['results']) == 1
+        assert len(data['results'][0]['summary_fields'][sublist]) == 1
+    
+    def test_access_list_direct_access_capability(
+            self, inventory, rando, get, mocker, mock_access_method):
+        inventory.admin_role.members.add(rando)
+
+        with mocker.patch.object(access_registry[Role][0], 'can_unattach', mock_access_method):
+            response = get(reverse('api:inventory_access_list', args=(inventory.id,)), rando)
+
+        mock_access_method.assert_called_once_with(inventory.admin_role, rando, 'members', **self.extra_kwargs)
+        self._assert_one_in_list(response.data)
+        direct_access_list = response.data['results'][0]['summary_fields']['direct_access']
+        assert direct_access_list[0]['role']['user_capabilities']['unattach'] == 'foobar'
+
+    def test_access_list_indirect_access_capability(
+            self, inventory, organization, org_admin, get, mocker, mock_access_method):
+        with mocker.patch.object(access_registry[Role][0], 'can_unattach', mock_access_method):
+            response = get(reverse('api:inventory_access_list', args=(inventory.id,)), org_admin)
+
+        mock_access_method.assert_called_once_with(organization.admin_role, org_admin, 'members', **self.extra_kwargs)
+        self._assert_one_in_list(response.data, sublist='indirect_access')
+        indirect_access_list = response.data['results'][0]['summary_fields']['indirect_access']
+        assert indirect_access_list[0]['role']['user_capabilities']['unattach'] == 'foobar'
+
+    def test_access_list_team_direct_access_capability(
+            self, inventory, team, team_member, get, mocker, mock_access_method):
+        team.member_role.children.add(inventory.admin_role)
+
+        with mocker.patch.object(access_registry[Role][0], 'can_unattach', mock_access_method):
+            response = get(reverse('api:inventory_access_list', args=(inventory.id,)), team_member)
+
+        mock_access_method.assert_called_once_with(inventory.admin_role, team.member_role, 'parents', **self.extra_kwargs)
+        self._assert_one_in_list(response.data)
+        direct_access_list = response.data['results'][0]['summary_fields']['direct_access']
+        assert direct_access_list[0]['role']['user_capabilities']['unattach'] == 'foobar'
+
+
+@pytest.mark.django_db
+def test_team_roles_unattach(mocker, team, team_member, inventory, mock_access_method, get):
+    team.member_role.children.add(inventory.admin_role)
+
+    with mocker.patch.object(access_registry[Role][0], 'can_unattach', mock_access_method):
+        response = get(reverse('api:team_roles_list', args=(team.id,)), team_member)
+
+    # Did we assess whether team_member can remove team's permission to the inventory?
+    mock_access_method.assert_called_once_with(
+        inventory.admin_role, team.member_role, 'parents', skip_sub_obj_read_check=True, data={})
+    assert response.data['results'][0]['summary_fields']['user_capabilities']['unattach'] == 'foobar'
+
+@pytest.mark.django_db
+def test_user_roles_unattach(mocker, organization, alice, bob, mock_access_method, get):
+    # Add to same organization so that alice and bob can see each other
+    organization.member_role.members.add(alice)
+    organization.member_role.members.add(bob)
+
+    with mocker.patch.object(access_registry[Role][0], 'can_unattach', mock_access_method):
+        response = get(reverse('api:user_roles_list', args=(alice.id,)), bob)
+
+    # Did we assess whether bob can remove alice's permission to the inventory?
+    mock_access_method.assert_called_once_with(
+        organization.member_role, alice, 'members', skip_sub_obj_read_check=True, data={})
+    assert response.data['results'][0]['summary_fields']['user_capabilities']['unattach'] == 'foobar'
+
+@pytest.mark.django_db
+def test_team_roles_unattach_functional(team, team_member, inventory, get):
+    team.member_role.children.add(inventory.admin_role)
+    response = get(reverse('api:team_roles_list', args=(team.id,)), team_member)
+    # Team member should be able to remove access to inventory, becauase
+    # the inventory admin_role grants that ability
+    assert response.data['results'][0]['summary_fields']['user_capabilities']['unattach']
+
+@pytest.mark.django_db
+def test_user_roles_unattach_functional(organization, alice, bob, get):
+    organization.member_role.members.add(alice)
+    organization.member_role.members.add(bob)
+    response = get(reverse('api:user_roles_list', args=(alice.id,)), bob)
+    # Org members can not revoke the membership of other members
+    assert not response.data['results'][0]['summary_fields']['user_capabilities']['unattach']
+
+
+@pytest.mark.django_db
+def test_prefetch_jt_capabilities(job_template, rando):
+    job_template.execute_role.members.add(rando)
+    qs = JobTemplate.objects.all()
+    cache_list_capabilities(qs, ['admin', 'execute'], JobTemplate, rando)
+    assert qs[0].capabilities_cache == {'edit': False, 'start': True}
+
+@pytest.mark.django_db
+def test_prefetch_group_capabilities(group, rando):
+    group.inventory.adhoc_role.members.add(rando)
+    qs = Group.objects.all()
+    cache_list_capabilities(qs, ['inventory.admin', 'inventory.adhoc'], Group, rando)
+    assert qs[0].capabilities_cache == {'edit': False, 'adhoc': True}
+
+@pytest.mark.django_db
+def test_prefetch_jt_copy_capability(job_template, project, inventory, machine_credential, rando):
+    job_template.project = project
+    job_template.inventory = inventory
+    job_template.credential = machine_credential
+    job_template.save()
+
+    qs = JobTemplate.objects.all()
+    cache_list_capabilities(qs, [{'copy': [
+        'project.use', 'inventory.use', 'credential.use',
+        'cloud_credential.use', 'network_credential.use'
+    ]}], JobTemplate, rando)
+    assert qs[0].capabilities_cache == {'copy': False}
+
+    project.use_role.members.add(rando)
+    inventory.use_role.members.add(rando)
+    machine_credential.use_role.members.add(rando)
+
+    cache_list_capabilities(qs, [{'copy': [
+        'project.use', 'inventory.use', 'credential.use',
+        'cloud_credential.use', 'network_credential.use'
+    ]}], JobTemplate, rando)
+    assert qs[0].capabilities_cache == {'copy': True}
+
+@pytest.mark.django_db
+def test_group_update_capabilities_possible(group, inventory_source, admin_user):
+    group.inventory_source = inventory_source
+    group.save()
+
+    capabilities = get_user_capabilities(admin_user, group, method_list=['start'])
+    assert capabilities['start']
+
+@pytest.mark.django_db
+def test_group_update_capabilities_impossible(group, inventory_source, admin_user):
+    inventory_source.source = ""
+    inventory_source.save()
+    group.inventory_source = inventory_source
+    group.save()
+
+    capabilities = get_user_capabilities(admin_user, group, method_list=['start'])
+    assert not capabilities['start']
+

awx/main/tests/unit/api/serializers/test_job_template_serializers.py

@@ -6,9 +6,13 @@ import mock
 from awx.api.serializers import (
     JobTemplateSerializer,
 )
+from awx.api.views import JobTemplateDetail
 from awx.main.models import (
+    Role,
+    User,
     Job,
 )
+from rest_framework.test import APIRequestFactory
 
 #DRF
 from rest_framework import serializers
@@ -77,21 +81,33 @@ class TestJobTemplateSerializerGetSummaryFields():
         summary = get_summary_fields_mock_and_run(JobTemplateSerializer, job_template)
         assert 'survey' not in summary
 
-    @pytest.mark.skip(reason="RBAC needs to land")
-    def test_can_copy_true(self, mocker, job_template):
-        pass
+    def test_copy_edit_standard(self, mocker, job_template_factory):
+        """Verify that the exact output of the access.py methods
+        are put into the serializer user_capabilities"""
 
-    @pytest.mark.skip(reason="RBAC needs to land")
-    def test_can_copy_false(self, mocker, job_template):
-        pass
+        jt_obj = job_template_factory('testJT', project='proj1', persisted=False).job_template
+        jt_obj.id = 5
+        jt_obj.admin_role = Role(id=9, role_field='admin_role')
+        jt_obj.execute_role = Role(id=8, role_field='execute_role')
+        jt_obj.read_role = Role(id=7, role_field='execute_role')
+        user = User(username="auser")
+        serializer = JobTemplateSerializer(job_template)
+        serializer.show_capabilities = ['copy', 'edit']
+        serializer._summary_field_labels = lambda self: []
+        serializer._recent_jobs = lambda self: []
+        request = APIRequestFactory().get('/api/v1/job_templates/42/')
+        request.user = user
+        view = JobTemplateDetail()
+        view.request = request
+        serializer.context['view'] = view
 
-    @pytest.mark.skip(reason="RBAC needs to land")
-    def test_can_edit_true(self, mocker, job_template):
-        pass
+        with mocker.patch("awx.main.models.rbac.Role.get_description", return_value='Can eat pie'):
+            with mocker.patch("awx.main.access.JobTemplateAccess.can_change", return_value='foobar'):
+                with mocker.patch("awx.main.access.JobTemplateAccess.can_add", return_value='foo'):
+                    response = serializer.get_summary_fields(jt_obj)
 
-    @pytest.mark.skip(reason="RBAC needs to land")
-    def test_can_edit_false(self, mocker, job_template):
-        pass
+        assert response['user_capabilities']['copy'] == 'foo'
+        assert response['user_capabilities']['edit'] == 'foobar'
 
 class TestJobTemplateSerializerValidation(object):
 

awx/main/tests/unit/models/test_job_template_unit.py

@@ -50,3 +50,32 @@ def test_job_template_survey_password_redaction(job_template_with_survey_passwor
     """Tests the JobTemplate model's funciton to redact passwords from
     extra_vars - used when creating a new job"""
     assert job_template_with_survey_passwords_unit.survey_password_variables() == ['secret_key', 'SSN']
+
+def test_job_template_survey_variable_validation(job_template_factory):
+    objects = job_template_factory(
+        'survey_variable_validation',
+        organization='org1',
+        inventory='inventory1',
+        credential='cred1',
+        persisted=False,
+    )
+    obj = objects.job_template
+    obj.survey_spec = {
+        "description": "",
+        "spec": [
+            {
+                "required": True,
+                "min": 0,
+                "default": "5",
+                "max": 1024,
+                "question_description": "",
+                "choices": "",
+                "variable": "a",
+                "question_name": "Whosyourdaddy",
+                "type": "text"
+            }
+        ],
+        "name": ""
+    }
+    obj.survey_enabled = True
+    assert obj.survey_variable_validation({"a": 5}) == ["Value 5 for 'a' expected to be a string."]

awx/main/tests/unit/test_access.py

@@ -134,3 +134,28 @@ class TestWorkflowAccessMethods:
             with mock.patch('awx.main.access.get_object_or_400', mock_get_object):
                 assert access.can_add({'organization': 1})
 
+
+@pytest.mark.django_db
+def test_user_capabilities_method():
+    """Unit test to verify that the user_capabilities method will defer
+    to the appropriate sub-class methods of the access classes.
+    Note that normal output is True/False, but a string is returned
+    in these tests to establish uniqueness.
+    """
+
+    class FooAccess(BaseAccess):
+        def can_change(self, obj, data):
+            return 'bar'
+
+        def can_add(self, data):
+            return 'foobar'
+
+    user = User(username='auser')
+    foo_access = FooAccess(user)
+    foo = object()
+    foo_capabilities = foo_access.get_user_capabilities(foo, ['edit', 'copy'])
+    assert foo_capabilities == {
+        'edit': 'bar',
+        'copy': 'foobar'
+    }
+

awx/main/tests/unit/test_network_credential.py

@@ -74,6 +74,7 @@ def test_net_cred_ssh_agent(mocker, get_ssh_version):
         mocker.patch.object(run_job, 'should_use_proot', return_value=False)
         mocker.patch.object(run_job, 'run_pexpect', return_value=('successful', 0))
         mocker.patch.object(run_job, 'open_fifo_write', return_value=None)
+        mocker.patch.object(run_job, 'post_run_hook', return_value=None)
 
         run_job.run(mock_job.id)
         assert run_job.update_model.call_count == 3